On the Compliance of Access Control Policies in Web Applications

  • Thanh-Nhan Luong (corresponding author)
  • Dinh-Hieu Vo
  • Van-Khanh To
  • Ninh-Thuan Truong
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 266)


The Model-View-Controller (MVC) architecture is commonly used to implement web applications. These systems often incorporate security policies to ensure their reliability, and role-based access control (RBAC) is one of the effective solutions for reducing resource access violations. This paper introduces an approach to check whether a web application built on the MVC architecture complies with its RBAC specification. By analysing the system architecture and the source code, the approach extracts a list of resource access permissions, constructs a resource exploitation graph, and organises the permissions into an access control matrix indexed by the roles of the web application. The approach aims at detecting two kinds of violation: (i) the presence of unspecified access rules, where the implementation grants an access that the specification does not, and (ii) the absence of specified access rules, where an access granted by the specification is not implemented. We illustrate the proposed approach with a case study of a web-based medical records management system.
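The two compliance checks described above, as an added example that is not the paper's tool or code: a constructed RBAC specification for a small medical records system, a constructed controller layer whose actions are annotated with their role guard and the (resource, operation) pairs they perform, a resource exploitation graph built from those annotations, the access control matrix derived from the graph, and the set difference in both directions between specification and implementation. The `controller_action` decorator, the `anonymous` pseudo-role for unguarded actions, and all role, resource and action names are assumptions made for the example and stand in for the source-code analysis of a real MVC code base.

```python
"""Added example: checking an MVC web application's implemented access rules
against its RBAC specification. All policy and controller data is constructed."""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = Tuple[str, str]              # (resource, operation)
Matrix = Dict[str, Set[Permission]]       # role -> granted permissions

ANONYMOUS = "anonymous"                   # assumed pseudo-role for unguarded actions

# Specified RBAC policy for a small medical records system (constructed example).
SPEC: Matrix = {
    "doctor":  {("MedicalRecord", "read"), ("MedicalRecord", "write"), ("Prescription", "write")},
    "nurse":   {("MedicalRecord", "read"), ("Prescription", "read")},
    "patient": {("MedicalRecord", "read")},
}

ACTIONS: List = []   # registry filled by the decorator below (stands in for source-code analysis)


def controller_action(roles: Optional[Set[str]], touches: Set[Permission]):
    """Hypothetical decorator: record a controller action's role guard
    (None = no guard at all) and the (resource, operation) pairs its model calls perform."""
    def deco(fn):
        fn.roles = None if roles is None else frozenset(roles)
        fn.touches = frozenset(touches)
        ACTIONS.append(fn)
        return fn
    return deco


# Constructed controller layer. Three of these deliberately deviate from SPEC.
@controller_action(roles={"doctor", "nurse", "patient"}, touches={("MedicalRecord", "read")})
def view_record(record_id): ...


@controller_action(roles={"doctor"}, touches={("MedicalRecord", "write")})
def edit_record(record_id, data): ...


@controller_action(roles={"doctor", "nurse"}, touches={("Prescription", "write")})
def issue_prescription(patient_id, drug): ...          # nurse may write: not in SPEC


@controller_action(roles={"admin"}, touches={("MedicalRecord", "delete")})
def purge_record(record_id): ...                       # role "admin" is absent from SPEC


@controller_action(roles=None, touches={("MedicalRecord", "read")})
def export_records(): ...                              # no guard: reachable anonymously
# Note: no action lets a nurse read a Prescription, although SPEC grants it.


def build_exploitation_graph(actions, known_roles):
    """role -> action name -> permissions reached through that action.
    An unguarded action is an edge from every known role and from ANONYMOUS."""
    graph: Dict[str, Dict[str, FrozenSet[Permission]]] = {}
    for fn in actions:
        reach = set(known_roles) | {ANONYMOUS} if fn.roles is None else fn.roles
        for role in reach:
            graph.setdefault(role, {})[fn.__name__] = fn.touches
    return graph


def matrix_from_graph(graph) -> Matrix:
    """Collapse the graph into the implemented access control matrix."""
    return {role: set().union(*edges.values()) for role, edges in graph.items()}


def check_compliance(spec: Matrix, impl: Matrix):
    """Return (unspecified, missing): (i) rules the code grants that the spec
    lacks, (ii) rules the spec grants that no controller action implements."""
    unspecified: Matrix = {}
    missing: Matrix = {}
    for role in set(spec) | set(impl):
        extra = impl.get(role, set()) - spec.get(role, set())
        lack = spec.get(role, set()) - impl.get(role, set())
        if extra:
            unspecified[role] = extra
        if lack:
            missing[role] = lack
    return unspecified, missing


def run_check(spec: Matrix = SPEC, actions=None):
    """Extract the implemented matrix from the registered actions and compare it to spec."""
    graph = build_exploitation_graph(ACTIONS if actions is None else actions, spec.keys())
    return check_compliance(spec, matrix_from_graph(graph))


if __name__ == "__main__":
    unspecified, missing = run_check()
    for role, perms in sorted(unspecified.items()):
        print(f"(i)  unspecified rule: {role} -> {sorted(perms)}")
    for role, perms in sorted(missing.items()):
        print(f"(ii) missing rule:     {role} -> {sorted(perms)}")
```

Treating an unguarded action as reachable from every role plus `anonymous` is the conservative reading a reviewer wants: a missing guard shows up as an unspecified rule for `anonymous` even when every specified role already holds the permission, and a guard that names a role the specification never defines (here `admin`) surfaces as unspecified rules for that role rather than being silently ignored.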


Keywords: Compliance · Access control policy · RBAC · Web applications



This work has been supported by VNU University of Engineering and Technology under Project QG.16.32.



Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  • Thanh-Nhan Luong (1, 2), corresponding author
  • Dinh-Hieu Vo (1)
  • Van-Khanh To (1)
  • Ninh-Thuan Truong (1)
  1. VNU University of Engineering and Technology, Hanoi, Vietnam
  2. Department of Informatics, Hai Phong University of Medicine and Pharmacy, Hai Phong, Vietnam
